Google on Monday released the February 2025 security patch for Android devices. The update brings crucial security fixes for discovered vulnerabilities, ranging from high to critical severity, including one CVE which is said to have been “actively exploited”. Several flaws target devices powered by Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc components, while other vulnerabilities affect general system components such as framework and kernel.
February 2025 Security Patch for Android
According to Google’s Android Security Bulletin for February 2025, a total of 47 discovered vulnerabilities have been patched with the latest update. Following the rollout, the Mountain View-based technology giant has also released the source code patches for these issues to the Android Open Source Project (AOSP) repository. Google notes that one of the vulnerabilities, with the identifier CVE-2024-53104, is related to the USB Video Class (UVC) driver subcomponent and may be “under limited, targeted exploitation”.
With a high severity and a CVSS score of 7.8, it could lead to “physical escalation of privilege with no additional execution privileges needed”, as per the bulletin. While Google has not shared any other details, the National Vulnerability Database, which is the US government’s repository of standards-based vulnerability management data, describes it as a video subsystem flaw in the Linux kernel.
It occurred when the uvc_parse_format function tried handling UVC_VS_UNDEFINED frame but skipped or ignored the undefined frames, parsing them instead. The uvc_parse_streaming function, which calculates the buffer size, created this vulnerability as it tried to calculate the buffer size for the expected frames but did not account for the undefined ones. Thus, its attempt to write data steered past the allocated buffer size, creating an out-of-bounds write.
Out of the 47 vulnerabilities patched with the February 2025 update, only one has been labelled a “critical” severity, CVE-2024-45569. It has a CVSS rating of 9.8. The flaw affects WLAN subcomponent in Qualcomm devices. It also addresses issues related to framework, kernel, platform, and system.
